Configuring Venafi TPP to use the Futurex Adaptable CA Driver
This section covers the following topics:
- Manage credentials
- Create a CA template
- Create a certificate policy
The identity and TLS client certificate created for the Venafi Adaptable CA service must be added as "credentials" in Venafi TPP.
To define user credentials, perform the following steps:
Log in to the Venafi TPP web UI.
Select Policy Tree in the main menu.
In the main policy tree, select Add > Credential > Username Credential.
In the Username Credential window, add the username and password contained in the credential.txt file extracted from the Venafi Adaptable endpoint zip.
Click [ Save ].
The TLS client PKCS #12 file (i.e., pki.p12) is used to mutually authenticate with the , allowing only authorized operation and establishing an encrypted tunnel to prevent man-in-the-middle eavesdropping on traffic. To define TLS client certificate credentials in Venafi TPP, perform the following steps:
Log in to the Venafi TPP web UI.
Select Policy Tree in the main menu.
In the main policy tree, select Add > Credential > Certificate Credential.
In the Certificate Credential window, give the credential a name and choose the option to import a certificate and select the pki.p12 file you extracted from the Venafi Adaptable CA endpoint zip the generated for the service.
Specify the corresponding private key password contained within the pki-password.txt file that was also extracted from the Venafi Adaptable CA endpoint zip.
Once the certificate is successfully imported, select [ Save ] to complete the process.
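Before importing pki.p12 in the steps above, the file and its password can be checked locally. The PowerShell below is an added example, not part of the Futurex or Venafi documentation; the extraction directory is a hypothetical path, and it assumes that pki-password.txt holds only the password and that .NET Framework 4.7.2 or later (or PowerShell 7) is available for the EphemeralKeySet flag.

```powershell
# Added example: pre-import check of the TLS client PKCS #12 file.
param(
    # Hypothetical directory where the endpoint zip was extracted
    [string]$ZipDir = 'C:\Temp\adaptable-endpoint'
)
$ErrorActionPreference = 'Stop'

$p12Path = Join-Path $ZipDir 'pki.p12'
$pwPath  = Join-Path $ZipDir 'pki-password.txt'
foreach ($f in $p12Path, $pwPath) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Missing file: $f" }
}

# Assumption: the file holds only the password; trim the trailing newline
$password = (Get-Content -LiteralPath $pwPath -Raw).Trim()

# EphemeralKeySet keeps the private key in memory instead of writing it to a key store
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
try {
    $certs.Import($p12Path, $password, $flags)
} catch {
    throw "pki.p12 did not open with the password in pki-password.txt: $($_.Exception.Message)"
}

# The client identity is the entry that carries a private key
$leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'pki.p12 contains no certificate with a private key.' }

# No EKU extension means unrestricted use; otherwise client authentication must be listed
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $leaf.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
$clientAuthOk = (-not $eku) -or ($ekuOids -contains $clientAuthOid)

$now = Get-Date
$report = [pscustomobject]@{
    Subject          = $leaf.Subject
    Issuer           = $leaf.Issuer
    Thumbprint       = $leaf.Thumbprint
    NotAfter         = $leaf.NotAfter
    CurrentlyValid   = ($now -ge $leaf.NotBefore -and $now -le $leaf.NotAfter)
    ClientAuthOk     = $clientAuthOk
    OtherCertsInFile = $certs.Count - 1
}
$certs | ForEach-Object { $_.Reset() }   # release the in-memory key material
$report
```

A result with CurrentlyValid or ClientAuthOk set to False points to a certificate problem that should be resolved before the credential is created.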
To create CA templates in Venafi TPP, perform the following steps:
Log in to the Venafi TPP web UI.
Select Policy Tree in the main menu.
In the main policy tree, select Add > CA Template > Adaptable. The Add New Adaptable window will appear.
Define the following General and Connection fields:
- CA Name: the desired CA name.
- Username Credential: the username credential you created.
- Certificate Credential: the certificate credential you created.
- Service Address: the IP address or hostname and the Host API port number contained inside the info.txt file (it must be in the format shown in the image below).
- Profile String: the container name and name of the issuing CA certificate on the (it must be in the format shown in the image below).
- PowerShell Script: Futurex KMES CA
If custom X.509 extensions, validity periods, or Futurex approval groups are desired, define them in the Custom Fields section. Note that for these to be visible, the FuturexCreateCustomFields.ps1 script must have been successfully run.
Select [ Validate ] to test the connection and authentication with the . This can take up to 5-15 seconds to complete.
Select [ Save ].
To create certificate policies, perform the following steps:
Log in to the Venafi TPP web UI.
Select Policy Tree in the main menu.
In the main policy tree, select Add > Policy. The Add New Policy window will appear.
Define the policy name and any other desired settings and select [ Save ].
Navigate to the Certificate tab for the new policy.
In the Other Information section, select the three dots next to the CA Template field and select the CA template you created.
Select [ Save ].